Installation of Shibboleth on Apache server 


Prerequisites
1. Operating System: Typically Linux-based (e.g., Ubuntu, CentOS).
2. Web Server: Apache installed and configured.
3. Dependencies:
   - Ensure SSL/TLS is enabled on your Apache server.
   - Install required libraries like libcurl, libxml2, and libxerces-c.


Step-by-Step Installation

1. Update System
Ensure your system packages are up-to-date:

sudo apt update && sudo apt upgrade -y

2. Install Shibboleth Service Provider
- Add the Shibboleth repository for your OS:
  Ubuntu:

  sudo apt install software-properties-common
  sudo add-apt-repository ppa:shibboleth/sp
  sudo apt update

  CentOS/RHEL:

  sudo yum install https://shibboleth.net/cgi-bin/sp_repo.cgi?platform=el8

- Install Shibboleth SP:

  sudo apt install shibboleth-sp2-utils libapache2-mod-shib2   # For Ubuntu
  sudo yum install shibboleth                                   # For CentOS

3. Enable Shibboleth Module in Apache
- Enable the Shibboleth module for Apache:

  sudo a2enmod shib2               # For Ubuntu
  sudo systemctl restart httpd     # For CentOS

- Restart Apache to load the module:

  sudo systemctl restart apache2

4. Configure Shibboleth
Edit the main configuration file located at /etc/shibboleth/shibboleth2.xml.

- Set the entity ID for your service provider (SP):

  <ApplicationDefaults entityID="https://your-sp-domain/shibboleth">

- Configure the IdP and SSO settings:

  <SSO entityID="https://your-idp-domain/idp/shibboleth"> SAML2 </SSO>

- Ensure the <MetadataProvider> section points to your IdP's metadata URL:

  <MetadataProvider type="XML" uri="https://your-idp-domain/metadata.xml" />

- Save and exit the file.
5. Secure Communication
- Ensure the server is using HTTPS. Obtain and configure an SSL certificate for your Apache server if not already done.


6. Update Apache Virtual Host
Edit your site's Apache configuration (e.g., /etc/apache2/sites-available/your-site.conf):

<VirtualHost *:443>
    ServerName your-sp-domain
    # Enable Shibboleth for specific paths
    <Location /secure>
        AuthType shibboleth
        ShibRequestSetting requireSession 1
        Require valid-user
    </Location>
</VirtualHost>

Enable your site and restart Apache:

sudo a2ensite your-site
sudo systemctl restart apache2
7. Test Shibboleth
- Visit a protected URL (e.g., https://your-sp-domain/secure).
- Check the logs:
  - Apache logs: /var/log/apache2/error.log
  - Shibboleth logs: /var/log/shibboleth/shibd.log


Final Steps
- Exchange metadata with your Identity Provider (IdP).
- Validate SSO functionality by accessing your protected application.




Overview
1. Install prerequisites (Java, Tomcat, Apache HTTP Server).
2. Download and install the Shibboleth IdP software.
3. Configure the IdP (metadata, LDAP connection, etc.).
4. Configure Apache as a reverse proxy for the IdP.
5. Secure the IdP with HTTPS.
6. Test and verify.


Step 1: Install Prerequisites

1.1 Install Java
Shibboleth IdP requires Java (OpenJDK 11 or later):

sudo apt update
sudo apt install openjdk-11-jdk -y
java -version   # Verify Java installation

1.2 Install Apache Tomcat
Install and configure Tomcat to host the IdP:

sudo apt install tomcat9 tomcat9-admin tomcat9-common -y
sudo systemctl enable tomcat9
sudo systemctl start tomcat9

1.3 Install Apache HTTP Server
Install Apache HTTP Server as a reverse proxy for the IdP:

sudo apt install apache2 -y


Step 2: Install Shibboleth IdP

2.1 Download Shibboleth IdP
Download the Shibboleth IdP installer:

wget https://shibboleth.net/downloads/identity-provider/latest/shibboleth-identity-provider-4.4.0.tar.gz
tar -xzf shibboleth-identity-provider-4.4.0.tar.gz
cd shibboleth-identity-provider-4.4.0

2.2 Run the Installer
Run the installation script and provide required details:

sudo ./install.sh

- Specify the installation directory (e.g., /opt/shibboleth-idp).
- Provide a hostname for the IdP (e.g., idp.example.com).
- Set a password for encryption keys.


Step 3: Configure Shibboleth IdP

3.1 Configure IdP Properties
Edit idp.properties located at /opt/shibboleth-idp/conf/:

sudo nano /opt/shibboleth-idp/conf/idp.properties

- Update the host:

  idp.entityID=https://idp.example.com/idp/shibboleth
  idp.scope=example.com

- Configure LDAP (Active Directory) connection:

  idp.authn.LDAP.ldapURL=ldap://ad.example.com:389
  idp.authn.LDAP.baseDN=dc=example,dc=com
  idp.authn.LDAP.bindDN=cn=admin,dc=example,dc=com
  idp.authn.LDAP.bindDNCredential=password


3.2 Configure Metadata
Edit the metadata file /opt/shibboleth-idp/metadata/idp-metadata.xml to define your IdP entity details:

<EntityDescriptor entityID="https://idp.example.com/idp/shibboleth"
    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo>
        <X509Data>
          <X509Certificate>...</X509Certificate>
        </X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="encryption">
      <KeyInfo>
        <X509Data>
          <X509Certificate>...</X509Certificate>
        </X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/idp/profile/SAML2/Redirect/SSO"/>
  </IDPSSODescriptor>
</EntityDescriptor>


Step 4: Configure Apache

4.1 Enable Required Modules
Enable the proxy and SSL modules in Apache:

sudo a2enmod proxy proxy_http ssl
sudo systemctl restart apache2

4.2 Configure Reverse Proxy
Edit the Apache site configuration:

sudo nano /etc/apache2/sites-available/idp.conf

Add the following configuration:

<VirtualHost *:443>
    ServerName idp.example.com
    ProxyPreserveHost On
    ProxyPass /idp http://localhost:8080/idp
    ProxyPassReverse /idp http://localhost:8080/idp
    SSLEngine On
    SSLCertificateFile /etc/ssl/certs/idp.crt
    SSLCertificateKeyFile /etc/ssl/private/idp.key
</VirtualHost>

Enable the site and restart Apache:

sudo a2ensite idp
sudo systemctl reload apache2


Step 5: Secure with SSL
Obtain and configure an SSL certificate for your IdP domain using Let's Encrypt or another certificate authority:

sudo apt install certbot python3-certbot-apache -y
sudo certbot --apache -d idp.example.com


Step 6: Test the IdP
1. Access the IdP endpoint: https://idp.example.com/idp.
2. Verify LDAP authentication by testing login with an AD user account.
3. Exchange metadata with a Service Provider (SP) to complete integration.




How to Integrate Shibboleth IdP with Active Directory?

Integrating Shibboleth Identity Provider (IdP) with Active Directory (AD) involves configuring the IdP to use AD as an LDAP directory for user authentication and attribute resolution. Here's a step-by-step guide:

Step 1: Prerequisites
1. Shibboleth IdP: Installed and running on your server.
2. Active Directory: Access to an AD server, including:
   - LDAP Connection: Hostname, port (default: 389 for LDAP, 636 for LDAPS).
   - Base DN: e.g., dc=example,dc=com.
   - Bind Credentials: Username (e.g., cn=admin,dc=example,dc=com) and password.


Step 2: Configure LDAP Authentication
Edit the Shibboleth IdP authentication configuration files.

2.1 Edit idp.properties
Locate and edit the file /opt/shibboleth-idp/conf/idp.properties:

# Define LDAP authentication settings
idp.authn.LDAP.ldapURL = ldap://ad.example.com:389
idp.authn.LDAP.useStartTLS = true
idp.authn.LDAP.baseDN = dc=example,dc=com
idp.authn.LDAP.bindDN = cn=admin,dc=example,dc=com
idp.authn.LDAP.bindDNCredential = your-password


2.2 Edit ldap-authn-config.xml
Edit the file /opt/shibboleth-idp/conf/authn/ldap-authn-config.xml:

<bean id="shibboleth.authn.LDAP"
      class="net.shibboleth.idp.authn.impl.LDAPAuthenticationHandler">
  <property name="ldapURL" value="%{idp.authn.LDAP.ldapURL}" />
  <property name="useStartTLS" value="%{idp.authn.LDAP.useStartTLS}" />
  <property name="baseDN" value="%{idp.authn.LDAP.baseDN}" />
  <property name="bindDN" value="%{idp.authn.LDAP.bindDN}" />
  <property name="bindDNCredential" value="%{idp.authn.LDAP.bindDNCredential}" />
</bean>
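The two idp.properties fragments on this page differ only in useStartTLS, which decides whether the bind DN credential crosses the network in cleartext. The following Python script is an added example, not Shibboleth project code: it parses a Java properties file and flags a plaintext ldap:// URL used without StartTLS, as well as placeholder credentials; the sample inputs are constructed from the two fragments above.

```python
import re
from typing import Dict, List
from urllib.parse import urlsplit

# Constructed samples mirroring the two idp.properties fragments on this page.
PLAINTEXT_PROPS = """\
idp.authn.LDAP.ldapURL=ldap://ad.example.com:389
idp.authn.LDAP.baseDN=dc=example,dc=com
idp.authn.LDAP.bindDN=cn=admin,dc=example,dc=com
idp.authn.LDAP.bindDNCredential=password
"""
STARTTLS_PROPS = """\
# Define LDAP authentication settings
idp.authn.LDAP.ldapURL = ldap://ad.example.com:389
idp.authn.LDAP.useStartTLS = true
idp.authn.LDAP.baseDN = dc=example,dc=com
idp.authn.LDAP.bindDN = cn=admin,dc=example,dc=com
idp.authn.LDAP.bindDNCredential = your-password
"""
PLACEHOLDER_SECRETS = {"", "password", "your-password", "changeit"}
# key, optional '=' or ':' separator, value; lines starting with '#' or '!' are comments
LINE = re.compile(r"^\s*([^#!=:\s][^=:\s]*)\s*[=:]?\s*(.*?)\s*$")


def parse_properties(text: str) -> Dict[str, str]:
    """Parse Java .properties text into a dict (later keys override earlier ones)."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def audit_ldap_transport(props: Dict[str, str]) -> List[str]:
    """Return findings; an empty list means the bind DN credential is protected in transit."""
    findings: List[str] = []
    starttls = props.get("idp.authn.LDAP.useStartTLS", "false").lower() == "true"
    # handle a space-separated list of URLs as well as a single one
    for url in props.get("idp.authn.LDAP.ldapURL", "").split():
        scheme = urlsplit(url).scheme.lower()
        if scheme == "ldap" and not starttls:
            findings.append(f"{url}: bind DN credential sent in cleartext (set useStartTLS=true or use ldaps://)")
        elif scheme not in ("ldap", "ldaps"):
            findings.append(f"{url}: unrecognised LDAP URL scheme")
    if props.get("idp.authn.LDAP.bindDNCredential", "") in PLACEHOLDER_SECRETS:
        findings.append("idp.authn.LDAP.bindDNCredential is empty or a placeholder")
    return findings
```

Run it against /opt/shibboleth-idp/conf/idp.properties after every change to the LDAP block; the StartTLS fragment passes the transport check and is only flagged for its placeholder password.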


Step 3: Configure Attribute Resolution
Attribute resolution defines which user attributes (e.g., name, email) are retrieved from AD.

3.1 Edit attribute-resolver.xml
Edit the file /opt/shibboleth-idp/conf/attribute-resolver.xml:

<!-- Define the LDAP Data Connector -->
<DataConnector id="myLDAP" xsi:type="LDAPDirectory" xmlns="urn:mace:shibboleth:2.0:resolver:dc">
  <LDAPProperty name="ldapURL" value="ldap://ad.example.com:389"/>
  <LDAPProperty name="baseDN" value="dc=example,dc=com"/>
  <LDAPProperty name="bindDN" value="cn=admin,dc=example,dc=com"/>
  <LDAPProperty name="bindDNCredential" value="your-password"/>
  <ReturnAttributes>cn mail sAMAccountName</ReturnAttributes>
</DataConnector>

<!-- Define attributes to resolve -->
<AttributeDefinition id="uid" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad">
  <InputDataConnector ref="myLDAP" attributeNames="sAMAccountName"/>
</AttributeDefinition>
<AttributeDefinition id="mail" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad">
  <InputDataConnector ref="myLDAP" attributeNames="mail"/>
</AttributeDefinition>
<AttributeDefinition id="cn" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad">
  <InputDataConnector ref="myLDAP" attributeNames="cn"/>
</AttributeDefinition>


Step 4: Test LDAP Connection
Verify connectivity to AD using tools like ldapsearch:

ldapsearch -x -H ldap://ad.example.com -D "cn=admin,dc=example,dc=com" -w your-password -b "dc=example,dc=com"

Look for user entries and ensure the attributes (e.g., sAMAccountName, mail) are accessible.


Step 5: Update Metadata

5.1 Edit idp-metadata.xml
Ensure the IdP metadata at /opt/shibboleth-idp/metadata/idp-metadata.xml contains endpoints for the IdP:

<EntityDescriptor entityID="https://idp.example.com/idp/shibboleth"
    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/idp/profile/SAML2/Redirect/SSO"/>
  </IDPSSODescriptor>
</EntityDescriptor>

Exchange this metadata with your Service Providers (SPs) for integration.


Step 6: Restart Shibboleth IdP 
After making configuration changes, restart the IdP: 


sudo systemctl restart tomcat9 


Step 7: Test Integration
1. Access the IdP login page: https://idp.example.com/idp/profile/SAML2/Redirect/SSO.
2. Log in with an AD user.
3. Verify attribute resolution by inspecting the SAML assertion (use tools like SAML Tracer).


Testing the integration between Shibboleth IdP and Active Directory involves validating both authentication and attribute resolution. Here's how to thoroughly test the integration:

1. Test LDAP Connection
Before testing Shibboleth IdP, ensure it can connect to Active Directory (AD):

Command-Line LDAP Test
Use ldapsearch to verify connectivity:

ldapsearch -x -H ldap://ad.example.com -D "cn=admin,dc=example,dc=com" -w your-password -b "dc=example,dc=com" "(sAMAccountName=username)"

Replace:
- ad.example.com with your AD hostname.
- cn=admin,dc=example,dc=com with your bind DN.
- username with a sample AD user.

Expected Output:
User attributes like cn, mail, sAMAccountName, etc.

If the test fails, troubleshoot:
- Host/Port: Ensure AD is reachable and the port (389/636) is open.
- Credentials: Verify bind DN and password.
- Base DN: Ensure it points to the correct part of your directory tree.
2. Enable Shibboleth Debug Logs
To see detailed logs of LDAP authentication and attribute resolution, enable debug mode in Shibboleth:

Edit logback.xml
Modify /opt/shibboleth-idp/conf/logback.xml:

<logger name="net.shibboleth" level="DEBUG"/>
<logger name="org.ldaptive" level="DEBUG"/>

Restart Shibboleth:

sudo systemctl restart tomcat9

Check logs at:
/opt/shibboleth-idp/logs/idp-process.log
3. Test SSO Authentication

3.1 Access the IdP Login URL
Open a browser and navigate to:
https://idp.example.com/idp/profile/SAML2/Redirect/SSO
You should see a login page.

3.2 Log In with an AD User
Use valid AD credentials to log in.
If authentication succeeds, you should be redirected to a "success" page or the Service Provider (SP).

Troubleshooting Login Issues
- Check idp-process.log: Look for LDAP-related errors (e.g., incorrect credentials, base DN issues).
- Verify Certificates: If using LDAPS, ensure the certificate for AD is valid and trusted by the IdP.


4. Test Attribute Resolution

4.1 Use a Test SP
Set up a simple SAML SP or use an existing one configured with your IdP.

4.2 Inspect SAML Assertion
Use tools like SAML Tracer (a browser plugin) to capture SAML responses. Look for:
- Attributes: Ensure expected attributes like sAMAccountName, mail, cn are included.
- Authentication Details: Verify the user is authenticated correctly.

4.3 Debug Attribute Issues
- Check idp-process.log for attribute resolver errors.
- Verify attribute mappings in /opt/shibboleth-idp/conf/attribute-resolver.xml.


5. Test Metadata Exchange
Ensure the IdP metadata is shared with SPs and vice versa:
- SP Metadata: Should point to the IdP's SSO endpoints.
- IdP Metadata: Ensure SP entity IDs and endpoints are correct.

Example IdP Metadata Validation
- Access the IdP metadata URL: https://idp.example.com/idp/metadata
- Validate the XML structure.
- Check that the entity ID matches your configuration.
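The metadata checks listed above, which also apply to what the SP pulls from its MetadataProvider URL in the first section, can be automated. The following Python validator is an added example, not Shibboleth project code: it parses IdP metadata, compares the entityID with the configured value, requires a SAML 2.0 IDPSSODescriptor with HTTPS SingleSignOnService endpoints, and checks that a signing certificate is published for SPs to verify assertions; the sample input is constructed to match the idp-metadata.xml fragment on this page.

```python
import xml.etree.ElementTree as ET
from typing import List
from urllib.parse import urlsplit

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
SAML2 = "urn:oasis:names:tc:SAML:2.0:protocol"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample shaped like the idp-metadata.xml fragment above; it has no
# KeyDescriptor, so the signing-certificate check below flags it.
SAMPLE_METADATA = """<EntityDescriptor entityID="https://idp.example.com/idp/shibboleth"
    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/idp/profile/SAML2/Redirect/SSO"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def validate_idp_metadata(xml_text: str, expected_entity_id: str) -> List[str]:
    """Return a list of problems; an empty list means the metadata passed every check."""
    problems: List[str] = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != f"{{{MD}}}EntityDescriptor":
        return [f"root element is {root.tag}, expected md:EntityDescriptor"]
    if root.get("entityID") != expected_entity_id:
        problems.append(f"entityID {root.get('entityID')!r} does not match configured {expected_entity_id!r}")
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        return problems + ["no IDPSSODescriptor: this is not IdP metadata"]
    if SAML2 not in idp.get("protocolSupportEnumeration", "").split():
        problems.append("IDPSSODescriptor does not advertise SAML 2.0 protocol support")
    sso = idp.findall(f"{{{MD}}}SingleSignOnService")
    if not any(ep.get("Binding") == REDIRECT for ep in sso):
        problems.append("no HTTP-Redirect SingleSignOnService endpoint")
    problems += [f"SSO endpoint is not HTTPS: {ep.get('Location')}" for ep in sso
                 if urlsplit(ep.get("Location", "")).scheme != "https"]
    # A KeyDescriptor with no 'use' attribute covers both signing and encryption;
    # the certificate element is matched by local name regardless of its namespace prefix.
    certs = [c.text for kd in idp.findall(f"{{{MD}}}KeyDescriptor") if kd.get("use", "signing") == "signing"
             for c in kd.iter() if c.tag.rsplit("}", 1)[-1] == "X509Certificate" and (c.text or "").strip()]
    if not certs:
        problems.append('no signing certificate published (KeyDescriptor use="signing")')
    return problems
```

Feed it the XML downloaded from https://idp.example.com/idp/metadata together with the idp.entityID value from idp.properties; any non-empty result should be fixed before the metadata is handed to SPs.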


6. Verify End-to-End SSO 
Log in to the SP (e.g., a test application). 
The SP should redirect you to the IdP for authentication. 


After logging in at the IdP, you should be redirected back to the SP and logged in. 


7. Automate Tests
For large-scale deployments, consider using testing tools like:
- TestShib: A public SP for testing SAML IdP configurations (TestShib.org).
- SAMLtest: A SAML assertion validation tool (samltest.id).


Logs to Monitor
- IdP Logs:
  /opt/shibboleth-idp/logs/idp-process.log
  /opt/shibboleth-idp/logs/idp-warn.log
- Tomcat Logs:
  /var/log/tomcat9/catalina.out
- Apache Logs:
  /var/log/apache2/access.log
  /var/log/apache2/error.log


